CVE-2024-1738
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/04/2024
Last modified:
10/01/2025
Description
An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation ID, due to the lack of project ID verification in the SQL query. As a result, attackers can gain access to potentially private data contained within the evaluation results.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:* | 1.2.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page